All,
TL;DR: Let's work together and openly on security review and threat
analysis for OpenStack.
I've discussed this for a while within the security group but now I'm
sharing more widely here on -dev.
There are currently scores of security reviews taking place on OpenStack
architecture, projects and implementations. All the big players in
OpenStack are conducting their own security reviews, we are all finding
things that should be addressed in the community and I'm sure that we
are all missing things that others have found too.
There's very little commercial value in holding onto security review
data. I am appealing to the security people out there in the community
to come together and share expertise on Threat Modelling/Analysis in
OpenStack. There's already been some excellent path-finding here (
https://wiki.openstack.org/wiki/Security/Threat_Analysis ).
My long term aspiration is that Threat Analysis and Penetration Testing
eventually get performed in the open, in a collaborative process
between several organisations, all finding issues, opening bugs and
submitting patches together, with each organisation performing internal
audits on their deltas for secret source / value added stuff. I believe
by doing this we can raise the bar on all of our collective security
efforts while decreasing the massive duplication of effort that's going
on right now.
The security group is having a mid-cycle sprint in July, we are looking
to cover a lot of ground (
https://etherpad.openstack.org/p/ossg-juno-meetup ) but one of the
primary topics we will be focussing on is the Threat Modelling process:
how it can be shaped and how it should move forward. I hope that some of
you can be there and if not, that we can get the sharing and
collaboration of security reviews onto the security agenda at your
respective organisations.
Cheers
-Rob